secretsquirrel / google-security-research

Automatically exported from code.google.com/p/google-security-research
3 stars 0 forks source link

Adobe Reader X and XI for Windows out-of-bounds read in AcroRd32.dll #143

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X and XI for 
Windows:

(3ac.172c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=17625000 ebx=17624ff9 ecx=00000000 edx=c0c0c0d0 esi=00000000 edi=177adf99
eip=658326d2 esp=0051c798 ebp=17624ff1 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
AcroRd32_64fe0000!CTJPEGDecoderCreateUsingData+0xa69f2:
658326d2 0fb608          movzx   ecx,byte ptr [eax]         ds:0023:17625000=??
0:000> !heap -p -a eax
    address 17625000 found in
    _DPH_HEAP_ROOT @ 5591000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                17610c30:         17624ee0              11f -         17624000             2000
    73128e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    730fa792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
    65001e92 AcroRd32_64fe0000!AVAcroALM_Destroy+0x000137c4
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0051c80c 6582975e AcroRd32_64fe0000!CTJPEGDecoderCreateUsingData+0xa69f2
0051c810 0051c844 AcroRd32_64fe0000!CTJPEGDecoderCreateUsingData+0x9da7e

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The crash occurs after navigating to the ~27th page of the POC document.

- The “EAX” register points at the end boundary of a small allocated heap 
region.

- Attached samples: signal_sigsegv_f71fa75b_2469_2658.pdf (crashing file), 
2658.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 1:36

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:23

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:20

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 12:58